diff --git a/admin/student_editor.php b/admin/student_editor.php
index b93581c..0790708 100644
--- a/admin/student_editor.php
+++ b/admin/student_editor.php
@@ -29,6 +29,28 @@ $registrations_id = intval($_GET['id']);
 $action = $_GET['action'];
+/* Extra restrictions for auth_type = fair */
+if($auth_type == 'fair') {
+ $fairs_id = $_SESSION['fairs_id'];
+
+ if($registrations_id == -1 && ($action=='registration_load' || $action == 'registration_save')) {
+ /* we can't check the project it hasn't been created. */
+ } else {
+ /* Make sure they have permission to laod this student, check
+ the master copy of the fairs_id in the project */
+ $q=mysql_query("SELECT * FROM projects WHERE
+ registrations_id='$registrations_id'
+ AND year='{$config['FAIRYEAR']}'
+ AND fairs_id=$fairs_id");
+ if(mysql_num_rows($q) != 1) {
+ echo "permission denied.";
+ exit;
+ }
+ /* Ok, they have permission */
+ }
+}
+
+
 switch($action) {
 case 'registration_load':
 registration_load();
@@ -77,6 +99,7 @@ exit;
 function students_save()
 {
 global $registrations_id, $config;
+
 $x=1;
 while($_POST["num"][$x]) {
 if($_POST['id'][$x]==0) {
@@ -155,11 +178,12 @@ function students_save()
 function students_load()
 {
- global $registrations_id;
- global $config;
+ global $registrations_id, $config;
 //now query and display
- $q=mysql_query("SELECT * F ROM students WHERE registrations_id='".$registrations_id."' AND year='".$config['FAIRYEAR']."'");
+ $q=mysql_query("SELECT * FROM students WHERE
+ registrations_id='$registrations_id'
+ AND year='{$config['FAIRYEAR']}'");
 echo mysql_error();
 $numfound=mysql_num_rows($q);
@@ -381,7 +405,7 @@ function students_load()
 function registration_load()
 {
- global $registrations_id, $config;
+ global $registrations_id, $config, $auth_type;
 /* Load reg data */
 if($registrations_id == -1) {
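Review bot: `$fairs_id` is read from `$_SESSION['fairs_id']` and interpolated unquoted into the projects query (`AND fairs_id=$fairs_id`), while `$registrations_id` a few lines above goes through intval(); casting it the same way, `$fairs_id = intval($_SESSION['fairs_id']);`, keeps the query well-formed when the session carries no fairs_id instead of relying on a SQL error to deny access. Related, `mysql_num_rows($q)` is called without first checking whether `$q` is `false`, so a failed query denies access only by accident and with a PHP warning; the same unchecked `$q` pattern appears in the students_load hunk further down. The `-1` exemption lets a fair user reach registration_save with no project to check against, so registration_save (not in this diff) presumably has to take the fair from the session rather than from the submitted form — worth confirming. Minor: `laod` in the comment should read `load`.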
@@ -409,12 +433,13 @@ function registration_load()
 }
 }
- /* Load fairs */
- $fairs = array();
- $q = mysql_query("SELECT * FROM fairs WHERE type='feeder'");
- while(($f = mysql_fetch_assoc($q))) {
- $fairs[$f['id']] = $f;
+ }
+
+ /* Load fairs */
+ $fairs = array();
+ $q = mysql_query("SELECT * FROM fairs WHERE type='feeder'");
+ while(($f = mysql_fetch_assoc($q))) {
+ $fairs[$f['id']] = $f;
 }
 /* Print form */
@@ -443,15 +468,19 @@ if(count($fairs)>0) { ?>
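Review bot: The moved fairs query, `$q = mysql_query("SELECT * FROM fairs WHERE type='feeder'");`, still hands `$q` straight to mysql_fetch_assoc() without checking for `false`, so a failed query yields a warning and an empty `$fairs`, which the following hunk's `if(count($fairs)>0)` cannot distinguish from a genuine absence of feeder fairs. A guard such as `if($q === false) { echo mysql_error(); exit; }` before the while, matching the `echo mysql_error();` style used in students_load, would make that failure visible. The block closed by the added `}` opens outside this hunk, so whether the fairs list is now intentionally loaded for every auth_type could not be confirmed from the diff.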